Abstract

We present a simplified framework for proving sequential composability in the quantum
setting. In particular, we give a new, simulation-based definition for security in the
bounded-quantum-storage model, and show that this definition allows for sequential composition
of protocols. Damgård et al. (FOCS '05, CRYPTO '07) showed how to securely implement bit
commitment and oblivious transfer in the bounded-quantum-storage model, where the adversary
is only allowed to store a limited number of qubits. However, their security definitions only
applied to the standalone setting, and it was not clear if their protocols could be composed.
Indeed, we first give a simple attack that shows that these protocols are not composable without
a small refinement of the model. Finally, we prove the security of their randomized oblivious
transfer protocol in our refined model. Secure implementations of oblivious transfer and bit
commitment then follow easily by a (classical) reduction to randomized oblivious transfer.

1 Introduction 

Secure two-party computation [36] allows two mutually distrustful players to jointly compute the
value of a function without revealing more information about their inputs than can be inferred
from the function value itself. In this context, the primitives known as bit commitment (BC) [6]
and oblivious transfer (OT) [44, 33, 19] are of particular importance: any two-party computation
can be implemented, provided these two primitives are available [20, 23, 15].

In bit commitment, the committer (Alice) secretly chooses a bit $b$, and commits herself to $b$ by
exchanging messages with the verifier (Bob). From the commitment alone, Bob should not be able
to gain any information about $b$. Yet, when Alice later reveals $b$ and opens the commitment by
exchanging messages with Bob, he can verify whether Alice is truthful and had indeed committed
herself to $b$. In oblivious transfer, the sender (Alice) chooses two bits $x_0$ and $x_1$, and the receiver (Bob)
chooses a bit $c$. The protocol of oblivious transfer allows Bob to retrieve $x_c$ in such a way that
Alice cannot gain any information about $c$. At the same time, Alice can be ensured that Bob only
retrieves $x_c$ and no information about the other input bit $x_{1-c}$.

Unfortunately, BC and OT are impossible to implement securely without any additional
assumptions, even in the quantum model [29, 26]. This result holds even in the presence of the
so-called superselection rules [24]. Exact tradeoffs on how well we can implement BC in the
quantum world can be found in [39]. To circumvent this problem (in both the classical and the quantum
case), we thus need to assume that the adversary is limited. In the classical case, one such limiting
assumption is that the adversary is computationally bounded, i.e., he is restricted to polynomial-time
computations (see e.g. [31, 11]). In the quantum model, it is also possible to securely
implement both protocols provided that an adversary cannot measure more than a fixed number of
qubits simultaneously [37]. Very weak forms of string commitments can also be obtained [7].

* Supported by EU fifth framework project QAP IST 015848 and the NWO vici project 2004-2009.

The Bounded-Quantum-Storage Model. Of particular interest to us is the bounded-storage
model. Here, the adversary is bounded in space instead of time, i.e., she is only allowed to use a
certain amount of storage space. Both OT and BC can be implemented in this model [9]. Yet, the
security of a classical bounded-storage model [27, 9] is somewhat unsatisfactory: First, a dishonest
player needs only quadratically more memory than the honest one. Second, as classical memory is
very cheap, most of these protocols require a huge amount of communication in order to achieve
reasonable bounds on the adversary's memory. In the quantum case, on the other hand, it is very
difficult to store states even for a very short period of time. This leads to the protocol presented in
[5], which shows how to implement BC and OT if the adversary is not able to store any qubits
at all. In [17, 16], these ideas have been generalized in a very nice way to the bounded-quantum-storage
model, where the adversary is computationally unbounded and allowed to have an unlimited
amount of classical memory. However, he is only allowed a limited amount of quantum memory.
The advantages over the classical bounded-storage model are twofold: First, given current-day
technology it is indeed very hard to store quantum states. Second, here the honest player does
not require any quantum storage at all, making the protocol implementable using present-day
technology.

Security Definitions and Composability. Cryptographic protocols (especially protocols that
implement very basic functionalities such as BC or OT) are almost never executed on their own.
They are merely used as building blocks for larger, more complicated applications. However, it is
not clear that the composition of secure protocols will remain secure. Formal security definitions
for secure function evaluation have first been proposed in [30] and [2]. These definitions use the
simulation paradigm invented in [21] to define zero-knowledge proofs of knowledge. In [10] it has
been shown formally that these definitions imply that protocols can be composed sequentially.
Sequential composition implies that protocols can be composed in an arbitrary way, as long as
at any point in time exactly one protocol is running. All other protocols have to wait until that
protocol stops. A stronger security definition called universal composability has been introduced
in [32, 11]. It guarantees that protocols can be securely composed in an arbitrary way (also
concurrently) in any environment.

Simulation-based security requires that for any adversary attacking the real protocol there
exists a simulator in the ideal setting, i.e. where the players only have black-box access to an
ideal functionality, such that the environment cannot distinguish between the real and the ideal
setting. To make the protocol sequentially composable, we have to allow the adversary to receive
some auxiliary input from the environment, which could contain information from a previous run
of the protocol, the larger application that the protocol is embedded in, or any other information
that the environment might pass to the adversary in an attempt to distinguish the real
from the ideal setting. In the quantum case, this auxiliary input is an arbitrary quantum state,
unknown to the adversary or the simulator. This presents us with two additional difficulties we
do not encounter in the classical setting: First, the simulator cannot determine what this input
state is without disturbing the state, which could be detected by the environment. Second, the
input state may be entangled with the environment. Based on earlier work in [32], a simulation-based
framework for secure quantum multi-party computation has been presented in [38]. That
framework offers sequential composability; however, no composability theorem was presented there.
Universal composability in the quantum world has been introduced in [4], and independently in
[41]. These frameworks are very powerful but, due to their complexity, hard to apply.

In [30], it has been shown that classical protocols which have been proven to be universally
composable using their classical definitions are secure against quantum adversaries. This result
is very useful, as it allows us to use many classical protocols also in the quantum setting. Great
care must be taken in the definition of security in the quantum setting: For example, the standard
security definition for QKD based on accessible information does not imply composability [25].

1.1 Contribution 

In [16], protocols for OT and BC have been presented and shown to be secure against bounded 
quantum adversaries. However, the proofs only guarantee security in a standalone setting. Indeed, 
a very simple attack shows that they are not composable. The main contribution of this paper 
is to give a formal framework for security in the bounded-quantum-storage model, and to show 
that modified versions of these protocols are sequentially composable. Hence, they can be used as 
building blocks in other protocols. 

Proofs in [17, 16] do not imply composability. When considering composable security, we
need to allow the adversary to receive some auxiliary quantum input. This has not been considered
in the security definitions used in [17, 16]. When we allow this, we are faced with two major
problems: First, in the security proof of [16], the receiver's choice bit can only be extracted by the
simulator if the distribution of the sender's random string given the receiver's classical knowledge
is known, which is not the case if the adversary has auxiliary input. Second, the memory bound
is only enforced at one specific step in their protocol, while during the rest of the protocol the
adversary is allowed unlimited memory. The following very simple EPR attack shows how the
protocol can then be broken: We let the adversary receive an arbitrary number of halves of EPR
pairs from the environment as his auxiliary input, and run the protocol as before. Then, just before
the memory bound is applied, he teleports his whole quantum memory to the environment. The
classical communication needed to teleport can be part of the adversary's classical storage that
he later outputs. Thus, the adversary can artificially increase his own storage by borrowing some
quantum memory from the environment.

One possibility to overcome the second problem is to limit the memory of the environment. Yet,
this solution seems very unsatisfactory: While we may be willing to accept that, say, a smart card
cannot store more than 100 qubits, this is much less clear for the environment. How could we place
any limitations on the environment at all? In our framework, we thus always allow the environment
to have an arbitrary amount of quantum memory, but limit the adversary's memory.

Composable Security in the Bounded-Quantum-Storage Model. We start by presenting
a formal model for secure two-party computation in the bounded-quantum-storage model. Our
model is quite similar to the model presented in [38], and provides offline-security. Then, we show
that our model implies that secure protocols are sequentially composable.

Second, we slightly modify the model from [16] and prove the security of randomized OT in
our refined model, which implies that the protocol is composable. In particular, we introduce a
second memory bound into the protocol, which limits the amount of quantum auxiliary input the
adversary may receive. We show that the simulator can extract the choice bit even if the auxiliary
quantum input remains completely unknown to him, and that the protocol is secure even if the
quantum memory of the environment is unbounded. It turns out that the protocol only remains
secure for a smaller memory bound in our model.

Third, we give well-known classical reductions of BC and OT to randomized OT in the appendix,
and prove that they are secure in our model. Using the idea from [3], this also implies that the two
players can precompute ROT and, at a later point in time, use it to implement either an
OT or a BC, for which they only need classical communication.

Since the proof presented in [40] carries over to our model, secure function evaluation in the
bounded-quantum-storage model can be achieved by simply using the (classical) universally
composable protocols presented in [18], which are based on [15]. Note that because our implementation of
OT is physical, the results presented in [12] cannot be applied.

Outline. In Section 2 we introduce the basic tools that we need later. In Section 3 we define a
framework that provides offline security in the bounded-quantum-storage model, which implies that
protocols can be composed sequentially. In Section 4 we then prove the security of the randomized
oblivious transfer protocol from [16] in our refined model. In the appendix, we show that secure
implementations of oblivious transfer and bit commitment follow by a (classical) reduction to
randomized oblivious transfer.

2 Preliminaries 

2.1 Notation 

We assume general familiarity with the quantum model [22]. Throughout this paper, we use the
term computational basis to refer to the basis given by $\{|0\rangle, |1\rangle\}$. We write $+$ for the computational
basis, and let $|0\rangle_+ = |0\rangle$ and $|1\rangle_+ = |1\rangle$. The Hadamard basis is denoted by $\times$, and given by
$\{|0\rangle_\times, |1\rangle_\times\}$, where $|0\rangle_\times = (|0\rangle + |1\rangle)/\sqrt{2}$ and $|1\rangle_\times = (|0\rangle - |1\rangle)/\sqrt{2}$. For a string $x \in \{0,1\}^n$
encoded in bases $b \in \{+,\times\}^n$, we write $|x\rangle_b = (|x_1\rangle_{b_1}, \ldots, |x_n\rangle_{b_n})$. We also use $0$ to denote $+$, and $1$
to denote $\times$. Finally, we use $x|_c$ to denote the sub-string of $x$ consisting of all $x_i$ where $b_i = c$.

We use the font $\mathcal{A}$ to label a quantum register, corresponding to a Hilbert space $\mathcal{A}$. A quantum
channel from $\mathcal{A}$ to $\mathcal{B}$ is a completely positive trace preserving (CPTP) map $\Lambda : \mathcal{A} \to \mathcal{B}$. We also
call a map from $\mathcal{A}$ to itself a quantum operation. Any quantum operation on the register $\mathcal{A}$ can be
phrased as a unitary operation on $\mathcal{A}$ and an additional ancilla register $\mathcal{A}'$, where we trace out $\mathcal{A}'$
to obtain the action of the quantum operation on register $\mathcal{A}$ [22]. We use $\mathcal{S}(\mathcal{A})$ to refer to the set
of all quantum states in $\mathcal{A}$, and $\mathcal{T}(\mathcal{A})$ to refer to the set of all Hermitian matrices in $\mathcal{A}$. We use
$\mathcal{U}$ to refer to a quantum operation, upper case letters $X$ to refer to classical random variables, the
font $\mathcal{S}$ for a set, and the font $\mathsf{A}$ to refer to a player in the protocol.

2.2 Distance Measures 

Our ability to distinguish two quantum states is determined by their trace distance. The trace
distance between two states $\rho, \rho' \in \mathcal{S}(\mathcal{H})$ is defined as $D(\rho,\rho') := \frac{1}{2}\mathrm{Tr}\,|\rho - \rho'|$, where $|A| = \sqrt{A^\dagger A}$.
We also write $\rho \approx_\varepsilon \rho'$ if $D(\rho,\rho') \le \varepsilon$. For all practical purposes, $\rho \approx_\varepsilon \rho'$ means that the state
$\rho'$ behaves like the state $\rho$, except with probability $\varepsilon$ [35]. For any quantum channel $\Lambda$, we have
$D(\Lambda(\rho), \Lambda(\rho')) \le D(\rho,\rho')$. Furthermore, the triangle inequality holds, i.e., for all $\rho$, $\rho'$ and $\rho''$ we
have $D(\rho,\rho'') \le D(\rho,\rho') + D(\rho',\rho'')$. Let $\Lambda, \Lambda' : \mathcal{A} \to \mathcal{B}$ be two quantum channels. If for all $\rho \in \mathcal{S}(\mathcal{A})$
we have $\Lambda(\rho) \approx_\varepsilon \Lambda'(\rho)$, we may also write $\Lambda \approx_\varepsilon \Lambda'$. Let $\rho_{AB} \in \mathcal{S}(\mathcal{A} \otimes \mathcal{B})$ be classical on $\mathcal{A}$,
i.e. $\rho_{AB} = \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x| \otimes \rho_B^x$ for some distribution $P_X$ over a finite set $\mathcal{X}$. We say that $\mathcal{A}$ is
$\varepsilon$-close to uniform with respect to $\mathcal{B}$ if $D(\rho_{AB}, \mathbb{1}_{\mathcal{A}}/d \otimes \rho_B) \le \varepsilon$, where $d = \dim(\mathcal{A})$.

2.3 Uncertainty Relation and Privacy Amplification 

For random variables $X$ and $Y$ with joint distribution $P_{XY}$, the smooth conditional min-entropy [36]
can be expressed in terms of an optimization over events $\mathcal{E}$ with probability at least $1 - \varepsilon$. Let
$P_{X\mathcal{E}|Y=y}(x)$ be the probability that $\{X = x\}$ and $\mathcal{E}$ occur conditioned on $Y = y$. We have

$$H^{\varepsilon}_{\min}(X \mid Y) = \max_{\mathcal{E} : \Pr(\mathcal{E}) \ge 1-\varepsilon} \ \min_{y} \ \min_{x} \big( -\log P_{X\mathcal{E}|Y=y}(x) \big).$$

The smooth min-entropy allows us to use the following chain rule, which does not hold in the case
of the standard min-entropy.

Lemma 2.1 (Chain Rule [8, 28, 36]). Let $X$, $Y$, and $Z$ be arbitrary random variables over $\mathcal{X}$, $\mathcal{Y}$
and $\mathcal{Z}$. Then for all $\varepsilon, \varepsilon' > 0$,

$$H^{\varepsilon+\varepsilon'}_{\min}(X \mid YZ) \ \ge\ H^{\varepsilon}_{\min}(XY \mid Z) - \log|\mathcal{Y}| - \log(1/\varepsilon').$$

We also need the following monotonicity of the smooth min-entropy:

$$H^{\varepsilon}_{\min}(XY \mid Z) \ \ge\ H^{\varepsilon}_{\min}(X \mid Z).$$
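The following added example (it is not part of the paper) computes these quantities on a small constructed distribution and shows why the chain rule needs the smoothing term. $Z$ is taken to be trivial, so Lemma 2.1 reads $H^{\varepsilon'}_{\min}(X|Y) \ge H_{\min}(XY) - \log|\mathcal{Y}| - \log(1/\varepsilon')$. The distribution is chosen so that the side information $Y$ occasionally reveals $X$ completely: the plain conditional min-entropy then drops to zero and the unsmoothed bound fails, while discarding that rare event (which is exactly what the maximum over events $\mathcal{E}$ allows) restores it. The event-restricted value is a lower bound on the smooth min-entropy, since any admissible event is a candidate in the maximization.

```python
# Added example, not from the paper: conditional min-entropy on a small
# constructed distribution, and why the chain rule (Lemma 2.1) needs the
# smoothing term.  Z is trivial (a constant), so the rule reads
#   H_min^{eps'}(X|Y) >= H_min(XY) - log|Y| - log(1/eps').
from fractions import Fraction
from math import log2

# Constructed toy source: X is a uniform 3-bit string.  With probability
# LEAK the side information Y reveals X, otherwise Y = NONE.  |Y| = 9.
NONE = -1
LEAK = Fraction(1, 4)
P_XY = {}
for _x in range(8):
    P_XY[(_x, NONE)] = (1 - LEAK) / 8
    P_XY[(_x, _x)] = LEAK / 8
Y_SIZE = len({y for (_, y) in P_XY})

def min_entropy(p):
    """H_min of a distribution given as {outcome: probability}."""
    return -log2(float(max(p.values())))

def cond_min_entropy(pxy, event=None):
    """min over (x, y) in the event E of -log P_{X E | Y=y}(x).

    event=None means E = everything, i.e. the plain (non-smooth) H_min(X|Y).
    For a smaller E this is the value the paper's definition of
    H_min^eps(X|Y) attains with that particular event (eps = 1 - Pr[E]),
    hence a lower bound on the smooth min-entropy.  Pairs outside E have
    probability 0 (-log 0 = infinity) and therefore never attain the min.
    """
    if event is None:
        event = set(pxy)
    p_y = {}
    for (x, y), p in pxy.items():
        p_y[y] = p_y.get(y, 0) + p
    return -log2(float(max(pxy[(x, y)] / p_y[y] for (x, y) in event)))

def chain_rule_rhs(pxy, y_size, eps_prime=None):
    """H_min(XY) - log|Y|, minus log(1/eps') when smoothing is used."""
    rhs = min_entropy(pxy) - log2(y_size)
    return rhs if eps_prime is None else rhs - log2(1 / float(eps_prime))

def demo():
    h_xy = min_entropy(P_XY)                  # 5 - log2(3), about 3.42
    naive = cond_min_entropy(P_XY)            # 0: when Y = X leaks, X is fixed
    naive_rhs = chain_rule_rhs(P_XY, Y_SIZE)  # about 0.25 > 0: rule violated
    # Smooth version: discard the leak event, which has probability LEAK.
    no_leak = {(x, y) for (x, y) in P_XY if y == NONE}
    smooth = cond_min_entropy(P_XY, no_leak)  # 3.0
    smooth_rhs = chain_rule_rhs(P_XY, Y_SIZE, eps_prime=LEAK)
    return {"H_min_XY": h_xy,
            "H_min_X_given_Y": naive,
            "plain_chain_rule_holds": naive >= naive_rhs,
            "H_min_smooth_lower_bound": smooth,
            "smooth_chain_rule_holds": smooth >= smooth_rhs}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the price of discarding an event of probability $\varepsilon'$ shows up as the $\log(1/\varepsilon')$ term on the right-hand side; in this toy case it makes the smoothed bound loose, but it is what keeps the inequality valid for every distribution.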

A function $h : \mathcal{S} \times \mathcal{X} \to \{0,1\}^\ell$ is called a two-universal hash function [13] if for all $x_0 \neq x_1 \in \mathcal{X}$
we have $\Pr[h(S, x_0) = h(S, x_1)] \le 2^{-\ell}$ if $S$ is uniform over $\mathcal{S}$. We thereby say that a random variable
$S$ is uniform over a set $\mathcal{S}$ if $S$ is chosen from $\mathcal{S}$ according to the uniform distribution. For example,
the class of all functions from $\mathcal{X}$ to $\{0,1\}^\ell$ (indexed by the seed $S$) is two-universal. Privacy amplification shows that a
two-universal hash function can be used to extract an almost random string from a source with
enough min-entropy. The following theorem is from [16], stated slightly differently than the original
statements in [35, 34].

Theorem 2.2 (Privacy Amplification [35, 34]). Let $X$ and $Z$ be (classical) random variables
distributed over $\mathcal{X}$ and $\mathcal{Z}$, and let $Q$ be a random state of $q$ qubits. Let $h : \mathcal{S} \times \mathcal{X} \to \{0,1\}^\ell$ be a
two-universal hash function and let $S$ be uniform over $\mathcal{S}$. If

$$\ell \ \le\ H^{\varepsilon'}_{\min}(X \mid Z) - q - 2\log(1/\varepsilon),$$

then $h(S, X)$ is $(\varepsilon + 2\varepsilon')$-close to uniform with respect to $(S, Z, Q)$.

The following lemma follows from the uncertainty relation presented in [16] by a simple
purification argument and by fixing the parameter $\lambda$ such that the error is at most $\varepsilon$ (see Appendix).

Lemma 2.3. Let $X \in \{0,1\}^n$ be a uniform random string, and let $B \in \{+,\times\}^n$ be a uniform random
basis. Let $|X\rangle_B = (|X_1\rangle_{B_1}, \ldots, |X_n\rangle_{B_n})$ be a state of $n$ qubits, and let $K$ be the outcome of an
arbitrary measurement of $|X\rangle_B$ which does not depend on $X$ and $B$. Then, for any $\varepsilon$, we have



which is positive if $n > 8000 \log(1/\varepsilon)$.

3 Security in the Bounded-Quantum-Storage Model

We now give a definition of offline-security in the bounded-quantum-storage model, and show that 



First of all, we assume that there is a global clock that divides time into discrete rounds. We
look at the following setting: Two players, $\mathsf{A}$ and $\mathsf{B}$, execute a protocol $P = (P_A, P_B)$, where $P_A$
is the program executed by $\mathsf{A}$ and $P_B$ the program executed by $\mathsf{B}$. Before the first round, each
program receives an input (that might be entangled with the input of the other player) and stores it.
In each round, each program may first send/receive messages to/from a given functionality $G$, then
apply a quantum operation to its current internal storage (including the message space), and finally
send/receive further messages at the end of each round. $G$ defines the communication resources
available between the players, modeled as an interactive quantum functionality. It may contain
a classical and/or a quantum communication channel, or other functionalities such as oblivious
transfer or bit commitment. Finally, in the last step of the protocol each program outputs an
output value. Note that the execution of $P$ using $G$, denoted by $P(G)$, is a quantum channel
which takes the input of both parties to the output of both parties. We also use the term interface
of a player to denote the interface presented by his program.

Players may be honest, which means that they follow the protocol, or they may be corrupted.
All corrupted players belong to the adversary, $\mathcal{A} \subseteq \{\mathsf{A}, \mathsf{B}\}$. We ignore the case where both players
are corrupted, and we assume that this set is static, i.e., it is already fixed before the protocol
starts. We only consider the case where the adversary is active, i.e., the adversary may not follow
the protocol. The adversary $\mathcal{A} = \{p\}$ may replace his part of the protocol $P_p$ by another program
$A_p$. As opposed to $P_p$, $A_p$ receives some auxiliary (quantum) input in the first round that may also
be entangled with the environment. We do not restrict the computational power of $A_p$ in any way;
however, we do limit its internal quantum storage to a certain memory bound of $m$ qubits. We call
such an $A_p$ $m$-bounded. $A_p$ is allowed to perform arbitrary quantum operations in each round of
the protocol. However, after receiving his input, and after every round, all of his internal memory
is measured, except for $m$ qubits.² $A_p$ is not allowed to input or output any additional data during
the execution of the protocol. The execution of $P$ using $G$, where $P_p$ has been replaced by $A_p$,
is again a quantum channel, which maps the inputs of both players and the auxiliary input of the
adversary to the outputs produced by both programs.

The ideal functionality defines what functionality we expect the protocol to implement. For the
moment we only consider non-interactive functionalities, i.e., both players can send it input only
once at the beginning, and obtain the output only once at the end. These functionalities have the
form of a quantum channel. To make the definitions more flexible, we allow $F$ to look different
depending on whether both players are honest, or either $\mathsf{A}$ or $\mathsf{B}$ belongs to the adversary. So the
ideal functionality is in fact a collection of functionalities, $F = (F_\emptyset, F_{\{A\}}, F_{\{B\}})$. $F_\emptyset$ denotes the
functionality for the case when both players are honest, and $F_{\{A\}}$ and $F_{\{B\}}$ the cases when
$\mathsf{A}$ or $\mathsf{B}$, respectively, is dishonest. We require that the honest player always has the same
interface as in $F_\emptyset$, i.e., in $F_{\{A\}}$, $\mathsf{B}$ must have the same interface as in $F_\emptyset$, and in $F_{\{B\}}$, $\mathsf{A}$ must
have the same interface as in $F_\emptyset$. We also require that $F_{\{A\}}$ and $F_{\{B\}}$ allow the adversary to play
honestly, i.e., they must be at least as good for the adversary as the functionality $F_\emptyset$.

1 Sequentially means that at any given time only one sub-protocol is executed.

2 Note that we enforce the memory bound after every round to keep the model simple. Later, in the security proof
of our randomized OT protocol, we see that the bound needs only to be enforced twice. A practical implementation
may introduce a wait time at these points to make sure the quantum memory physically decoheres.

We say that a protocol $P$ having access to the functionality $G$³ securely implements a
functionality $F$ if the following conditions are satisfied: First of all, we require that the protocol has
almost the same output as $F$ if both players are honest. Second, for $\mathcal{A} = \{p\}$, we require that the
adversary attacking the protocol has basically no advantage over attacking $F$ directly. We thus
require that for every $m$-bounded program $A_p$ there exists an $s$-bounded program $S_p$ (called the
simulator) such that the overall outputs of both situations are almost the same, for all inputs. For
simplicity, we do not make any restrictions on the efficiency of the simulator.⁴ Also, we do not
require him to use the adversary $A_p$ as a black box: $S_p$ may be constructed from scratch, under
full knowledge of the behaviour of $A_p$. In particular, we allow him to execute some or all actions
of $A_p$ in a single round. Recall that a memory bound is applied only after each round. Thus,
when executing $A_p$ in a single round, the simulator will not experience any memory bound. This
model is motivated by the physically realistic assumption that such memory bounds are introduced
by adding specific waiting times after each round. Hence, this does not give the simulator any
memory. However, in order to make protocols composable with other protocols in our model, we
do require the simulator to be memory-bounded as well. The amount of memory required by the
simulator gives a bound on the virtual memory the adversary seems to have by attacking the real
protocol instead of the ideal one. Ideally, we would like $S_p$ to use the same amount of memory as
$A_p$. The simulator $S_p$ can be represented by two quantum channels. The first channel maps the
input and the auxiliary input to an input to the ideal functionality, and to a state of at most $s$
qubits. The other channel maps that state and the output of the ideal functionality to the output
of the simulator.

Definition 3.1. A protocol $P(G) = (P_A, P_B)(G)$ implements $F$ with an error of at most $\varepsilon$, secure
against $m$-bounded adversaries using $s$-bounded simulators, if

• (Correctness) $P(G_\emptyset) \approx_\varepsilon F_\emptyset$.

• (Security for $\mathsf{A}$) For every $m$-bounded $A_B$ there exists an $s$-bounded $S_B$ such that

$(P_A, A_B)(G_{\{B\}}) \approx_\varepsilon S_B(F_{\{B\}})$.

• (Security for $\mathsf{B}$) For every $m$-bounded $A_A$ there exists an $s$-bounded $S_A$ such that

$(A_A, P_B)(G_{\{A\}}) \approx_\varepsilon S_A(F_{\{A\}})$.

3 G may also be a collection of functionalities. 

4 Recall that the adversary is computationally unbounded as well. 
An important property of our definition is that it allows protocols to be composed. The following
theorem shows that in a secure protocol that is based on an ideal, non-interactive functionality $G$
and some other functionalities $G'$,⁵ we can replace $G$ with a secure implementation of $G$ without
making the protocol insecure. The theorem requires that $G$ is called sequentially, i.e., that no other
subprotocols are running in parallel to $G$. The proof uses the same idea as in the classical case [10].

Theorem 3.2 (Sequential Composition Theorem). Let $F$ and $G$ be non-interactive functionalities,
and let $G'$ and $H$ be arbitrary functionalities. Let $P(G\|G')$ be a protocol that calls $G$ sequentially
and that implements $F$ with an error of at most $\varepsilon_1$, secure against $m_1$-bounded adversaries using $s_1$-bounded
simulators, and let $Q(H)$ be a protocol that implements $G$ with an error of at most $\varepsilon_2$, secure
against $m_2$-bounded adversaries using $s_2$-bounded simulators, where $m_1 \ge s_2$. Then $P(Q(H)\|G')$
implements $F$ with an error of at most $\varepsilon_1 + \varepsilon_2$, secure against $\min(m_1, m_2)$-bounded adversaries using
$s_1$-bounded simulators.

Proof. (Sketch) If both players are honest, the statement follows directly from the properties of the
trace distance: since $Q(H_\emptyset) \approx_{\varepsilon_2} G_\emptyset$ and a quantum channel cannot increase the trace distance, we have
$P(Q(H_\emptyset)\|G'_\emptyset) \approx_{\varepsilon_2} P(G_\emptyset\|G'_\emptyset) \approx_{\varepsilon_1} F_\emptyset$, and hence $F_\emptyset \approx_{\varepsilon_1+\varepsilon_2} P(Q(H_\emptyset)\|G'_\emptyset)$ by the triangle inequality.

Let $\mathsf{A}$ be honest, and let $\mathsf{B}$ attack the protocol $P(Q(H)\|G')$ by executing $A_B$. We cut $A_B$
into three parts: let $A_B^{(1)}$ be executed before protocol $Q$ starts, $A_B^{(2)}$ during $Q$, and $A_B^{(3)}$ after
$Q$. Since $A_B^{(2)}$ is $\min(m_1, m_2)$-bounded and $Q$ is secure, there exists an $s_2$-bounded $S_B^{(2)}$ such that
$(Q_A, A_B^{(2)})(H_{\{B\}}) \approx_{\varepsilon_2} S_B^{(2)}(G_{\{B\}})$. Let $A'_B$ be the program that results from joining $A_B^{(1)}$, $S_B^{(2)}$ and
$A_B^{(3)}$. Because $\max(\min(m_1, m_2), s_2) \le m_1$, $A'_B$ is $m_1$-bounded, and since $P$ is secure there exists an
$s_1$-bounded $S_B$ such that $(P_A, A'_B)(G_{\{B\}}\|G'_{\{B\}}) \approx_{\varepsilon_1} S_B(F_{\{B\}})$. It follows from the properties
of the trace distance that $S_B$ is a simulator that satisfies the security condition for $\mathsf{A}$ with an error
of at most $\varepsilon_1 + \varepsilon_2$. The security for $\mathsf{B}$ can be shown in the same way. □

Interactive functionalities. The definitions above only apply to non-interactive functionalities,
i.e. functionalities that consist of just one input/output phase. In general, we would also like to
securely implement functionalities with several such phases. The most prominent example of such
a functionality is bit commitment, which has two phases, a commit phase and an open phase.

The security definitions and the composition theorem generalize to the multi-phase case.
Basically, all phases by themselves can be treated as individual, non-interactive functionalities, using
the security definition given above. We can assume that the adversary always sends his internal
classical and quantum state to the environment at the end of each phase, and receives it back at
the beginning of the next phase. The adversary can thus be modeled by individual adversaries for
each phase. However, since the ideal functionalities of the different phases are connected by
some shared memory, i.e., the actions of the functionality in the second phase may depend on the
actions in the first phase, the simulator must be allowed to use some classical memory between the
phases.

4 Randomized Oblivious Transfer 

We now apply our framework to the randomized OT protocol presented in [17]. In particular, we
prove security with respect to the following definition of randomized oblivious transfer. We show
in the appendix how to obtain the standard notion of OT from randomized OT. Note that in our
version of randomized OT, also the choice bit $c$ of the receiver is randomized.

5 We denote the concatenation of the functionalities $G$ and $G'$ by $G\|G'$.

Definition 4.1 (Randomized oblivious transfer). $\binom{2}{1}$-ROT$^\ell$ (or, if $\ell$ is clear from the context, ROT)
is defined as $\mathrm{ROT} = (\mathrm{ROT}_\emptyset, \mathrm{ROT}_{\{A\}}, \mathrm{ROT}_{\{B\}})$, where

• $\mathrm{ROT}_\emptyset$: The functionality chooses uniformly at random the values $(x_0, x_1) \in_R \{0,1\}^\ell \times \{0,1\}^\ell$
and $c \in_R \{0,1\}$. It sends $(x_0, x_1)$ to $\mathsf{A}$ and $(c, y)$ to $\mathsf{B}$, where $y = x_c$.

• $\mathrm{ROT}_{\{A\}}$: The functionality receives $(x_0, x_1) \in \{0,1\}^\ell \times \{0,1\}^\ell$ from $\mathsf{A}$. Then, it chooses
$c \in_R \{0,1\}$ uniformly at random and sends $(c, y)$ to $\mathsf{B}$, where $y = x_c$.

• $\mathrm{ROT}_{\{B\}}$: The functionality receives $(c, y) \in \{0,1\} \times \{0,1\}^\ell$ from $\mathsf{B}$. Then, it sets $x_c = y$,
chooses $x_{1-c} \in_R \{0,1\}^\ell$ uniformly at random, and sends $(x_0, x_1)$ to $\mathsf{A}$.

We first briefly recall the protocol. The protocol $\mathrm{BQS\text{-}OT} = (\mathrm{BQS\text{-}OT}_A, \mathrm{BQS\text{-}OT}_B)$ uses a
noiseless unidirectional quantum channel Q-Comm, and a noiseless unidirectional classical channel
Comm, both from the sender to the receiver. Let $h : \mathcal{R} \times \{0,1\}^n \to \{0,1\}^\ell$ be a two-universal hash
function. The sender ($\mathsf{A}$) and receiver ($\mathsf{B}$) execute the following:

Protocol 1: $\mathrm{BQS\text{-}OT}_A$

1. Choose $x \in_R \{0,1\}^n$ and $b \in_R \{0,1\}^n$ uniformly at random.

2. Send $|x\rangle_b := (|x_1\rangle_{b_1}, \ldots, |x_n\rangle_{b_n})$ to Q-Comm, where $|x_i\rangle_{b_i}$ is $x_i$ encoded in the basis $b_i$.

3. Choose $r_0, r_1 \in_R \mathcal{R}$ uniformly at random and send $(b, r_0, r_1)$ to Comm.

4. Output $(s_0, s_1) := (h(r_0, x|_0), h(r_1, x|_1))$, where $x|_j$ is the string of all $x_i$ where $b_i = j$.

Protocol 2: $\mathrm{BQS\text{-}OT}_B$

1. Choose $c \in_R \{0,1\}$ uniformly at random.

2. Receive the qubits $(q_1, \ldots, q_n)$ from Q-Comm and measure them in the basis $c$, which gives
output $x' \in \{0,1\}^n$.

3. Receive $(b, r_0, r_1)$ from Comm.

4. Output $(c, y) := (c, h(r_c, x'|_c))$, where $x'|_c$ is the string of all $x'_i$ where $b_i = c$.

Note that the values $x|_0$, $x|_1$ and $x'|_c$ are in fact padded with additional zeros to have a length of $n$
bits. This padding does not affect their entropies. A memory bound is applied before step 1, and
before step 3 of the receiver.
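As an added example that is not part of the paper, the following Python program runs the exchange of Protocols 1 and 2 between honest players, using the two-universal hashing of Section 2.3, and also exercises the dishonest-sender simulator of Lemma 4.2 below. It makes three assumptions of its own: the hash family is a random $\mathrm{GF}(2)$-linear map from $n$ to $\ell$ bits (one concrete two-universal family, not one the paper prescribes), a qubit $|x_i\rangle_{b_i}$ is modelled as the pair $(x_i, b_i)$ with a wrong-basis measurement returning a uniform bit (exact for these product states), and $x|_c$ is realised as $x$ masked to the positions with $b_i = c$, which is the zero padding of the remark above up to a fixed relabelling. Correctness ($y = s_c$), the receiver's ignorance of the other string (about half of the wrong-basis bits are wrong), the $2^{-\ell}$ collision bound and the simulator's extraction of $(s_0, s_1)$ from the announced bases are all checked; coherent attacks by a dishonest receiver, which is what the memory bound is there for, are outside this classical model.

```python
# Added example (not the paper's code): a classical simulation of BQS-OT
# (Protocols 1 and 2) between honest players, the two-universal hash of
# Section 2.3, and the dishonest-sender simulator of Lemma 4.2.  A qubit
# |x_i>_{b_i} is modelled as the pair (x_i, b_i): measured in the matching
# basis it yields x_i, in the other basis a uniform bit, which are the exact
# statistics of the BB84 states.  Storing qubits or measuring them jointly,
# i.e. the attacks the memory bound exists for, is outside this model.
import random

def parity(v):
    """Inner product over GF(2), given as the parity of the set bits of v."""
    return bin(v).count("1") & 1

def two_universal_hash(r, x):
    """h : R x {0,1}^n -> {0,1}^ell; the seed r is a tuple of ell n-bit masks
    and h(r, x)_i = <r_i, x> mod 2.  For x0 != x1 the outputs collide iff the
    random linear map sends x0 XOR x1 to 0, which happens with prob. 2^-ell."""
    return sum(parity(row & x) << i for i, row in enumerate(r))

def random_seed(rng, n, ell):
    return tuple(rng.getrandbits(n) for _ in range(ell))

def mask_for(b, n, c):
    """Mask of the positions i with b_i = c; x & mask is x|_c padded with
    zeros to n bits (a fixed relabelling, so its entropy is unchanged)."""
    return sum(1 << i for i in range(n) if (b >> i) & 1 == c)

def measure(rng, qubits, bases):
    """Measure qubit i in the basis given by bit i of `bases` (0 = +, 1 = x)."""
    x_prime = 0
    for i, (bit, enc_basis) in enumerate(qubits):
        outcome = bit if enc_basis == (bases >> i) & 1 else rng.getrandbits(1)
        x_prime |= outcome << i
    return x_prime

def sender_send(rng, n, ell):
    """Protocol 1, steps 1-3: the message for Q-Comm, the message for Comm,
    and the sender's private string x."""
    x, b = rng.getrandbits(n), rng.getrandbits(n)
    qubits = [((x >> i) & 1, (b >> i) & 1) for i in range(n)]     # |x>_b
    return qubits, (b, random_seed(rng, n, ell), random_seed(rng, n, ell)), x

def sender_output(x, msg, n):
    """Protocol 1, step 4: (s0, s1) = (h(r0, x|_0), h(r1, x|_1))."""
    b, r0, r1 = msg
    return (two_universal_hash(r0, x & mask_for(b, n, 0)),
            two_universal_hash(r1, x & mask_for(b, n, 1)))

def receiver(rng, qubits, msg, n):
    """Protocol 2: choose c and measure everything in basis c while b is still
    unknown (the memory bound forces this), then hash once (b, r0, r1) arrive."""
    c = rng.getrandbits(1)
    x_prime = measure(rng, qubits, (2 ** n - 1) * c)
    b, r0, r1 = msg
    return c, two_universal_hash((r0, r1)[c], x_prime & mask_for(b, n, c)), x_prime

def run_bqs_ot(seed=0, n=64, ell=8):
    """One honest execution: is y == s_c, and how many of the bits at positions
    with b_i != c did the receiver's wrong-basis measurement get wrong?"""
    rng = random.Random(seed)
    qubits, msg, x = sender_send(rng, n, ell)
    c, y, x_prime = receiver(rng, qubits, msg, n)
    s = sender_output(x, msg, n)
    other = mask_for(msg[0], n, 1 - c)
    return {"correct": y == s[c], "c": c, "other_positions": bin(other).count("1"),
            "other_errors": bin((x ^ x_prime) & other).count("1")}

def receiver_ignorance_rate(runs=40, n=64, ell=8):
    """Error rate on the positions measured in the wrong basis: about 1/2, so
    x|_{1-c} is uniformly random from the receiver's point of view."""
    results = [run_bqs_ot(seed, n, ell) for seed in range(runs)]
    return (sum(r["other_errors"] for r in results)
            / sum(r["other_positions"] for r in results))

def hash_collision_rate(trials=4000, n=16, ell=4, seed=1):
    """Estimate Pr_r[h(r, x0) = h(r, x1)] for one fixed pair x0 != x1; the
    two-universal bound is 2^-ell, i.e. 1/16 here."""
    rng, x0, x1, hits = random.Random(seed), 0x1234, 0x1235, 0
    for _ in range(trials):
        r = random_seed(rng, n, ell)
        hits += two_universal_hash(r, x0) == two_universal_hash(r, x1)
    return hits / trials

def simulate_dishonest_sender(rng, qubits, msg, n):
    """Simulator of Lemma 4.2: once (b, r0, r1) are on Comm, measure the quantum
    message position-wise in the announced basis b_i.  For a message that is
    |x>_b this recovers x exactly and thus both s0 and s1 for ROT_{A}."""
    return sender_output(measure(rng, qubits, msg[0]), msg, n)

def simulator_matches_honest_sender(seed=5, n=32, ell=6):
    rng = random.Random(seed)
    qubits, msg, x = sender_send(rng, n, ell)
    return simulate_dishonest_sender(rng, qubits, msg, n) == sender_output(x, msg, n)

if __name__ == "__main__":
    print(run_bqs_ot(), receiver_ignorance_rate(),
          hash_collision_rate(), simulator_matches_honest_sender())
```

The order of operations in `receiver` is the whole point of the memory bound: the measurement in basis $c$ happens before $(b, r_0, r_1)$ are read, so the receiver commits to one basis for every position and the bits at positions with $b_i \neq c$ are lost. A receiver who could keep the qubits until step 3 would measure each one in $b_i$ instead and recover both $x|_0$ and $x|_1$, exactly what `simulate_dishonest_sender` does on the simulator's side, where it is legitimate.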

Security against the sender. We first consider the case when the sender, $\mathsf{A}$, is dishonest. This
case turns out to be quite straightforward. In general, we can describe any action of the adversary
by a unitary followed by a measurement in the computational basis. We use the following letters to
refer to the different classical and quantum registers available to the adversary: Let $Q$ denote the
quantum register. Note that since we assume that our adversary's memory is $m$-bounded, the size
of $Q$ does not exceed $m$. Let $M_Q$ and $M_K$ denote the quantum and classical registers that hold
the messages sent to the receiver. Let $K$ denote the classical input register of the adversary. Finally,
let $A$ denote an auxiliary quantum register. Recall from Section 2 that any quantum operation on
$Q$ and $M_Q$ can be implemented by a unitary followed by a measurement on an additional register
$A$. Wlog we let $A$ and $M_Q$ be measured in the computational basis to enforce a memory bound.

To model quantum and classical input that a malicious $\mathsf{A}$ may receive, we let $Q$ start out in
any state $\rho_{in}$, unknown to the simulator. Likewise, $K$ may contain some classical input $\kappa_{in}$ of $\mathsf{A}$.
Wlog we assume that all other registers start out in a fixed state of $|0\rangle$. We can then describe the
actions of $\mathsf{A}$ by a single unitary $\mathsf{A}_A$ defined by

$$\mathsf{A}_A \big( \rho_{in} \otimes |0\rangle\langle 0| \otimes \kappa \otimes |0\rangle\langle 0| \otimes |0\rangle\langle 0| \big) \mathsf{A}_A^\dagger \;=\; \rho_{QA} \otimes \kappa \otimes \rho^{x,b}_{M_Q} \otimes |b, r, n\rangle\langle b, r, n|_{M_K}, \qquad (1)$$

where the registers on the left-hand side are, in order, $Q$, $A$, $K$, $M_Q$ and $M_K$.
Note that without loss of generality $\mathsf{A}_A$ leaves $K$ unmodified: since $K$ is classical we can always
copy its contents to $A$ and let all classical output be part of $A$. To enforce the memory bound,
assume wlog that $A$ and $M_Q$ are now measured completely in the computational basis. We now
show that for any adversary $\mathsf{A}_A$ there exists an appropriate simulator $\mathsf{S}_A$.

Lemma 4.2. Protocol BQS-OT is secure against dishonest $\mathsf{A}$.

Proof. Let $\mathsf{S}_A$ be defined as follows: $\mathsf{S}_A$ runs $\mathsf{A}_A$,⁶ and measures register $M_Q$ in the basis
determined by $M_K$. This allows him to compute $s_0 = h(r_0, x|_0)$ and $s_1 = h(r_1, x|_1)$. $\mathsf{S}_A$ then sends
$s_0$ and $s_1$ to $\mathrm{ROT}_{\{A\}}$. It is clear that since the simulator based his measurement on $M_K$, $s_0$ and
$s_1$ are consistent with the run of the protocol. Furthermore, note that $\mathsf{S}_A$ did not need to touch
register $Q$ at all. We can thus immediately conclude that the environment can tell no difference
between the real protocol and the ideal setting. □

Security against the receiver. To prove security against a dishonest receiver requires a more careful treatment of the quantum input given to the adversary. The main idea behind our proof is that the memory bound in fact fixes a classical bit $c$. Our main challenge is to find a $c$ that the simulator can calculate and that is consistent with the adversary and his input, while keeping the output state of the adversary intact. To do so, we use a generalization of the min-entropy splitting lemma in [16], which in turn is based on an earlier version of [45]. It states that if two random variables $X_0$ and $X_1$ together have high min-entropy, then we can define a random variable $C$ such that $X_{1-C}$ has at least half of the original min-entropy. To find $C$, one must know the distributions of $X_0$ and $X_1$. In the following generalization, we do not exactly know the distribution of $X_0$ and $X_1$, since we assume that this distribution also depends on an unknown random variable $J$, distributed over a domain of size $2^\beta$. Note that $\beta = 0$ gives the min-entropy splitting lemma in [16].

Lemma 4.3 (Generalized Min-Entropy Splitting Lemma). Let $\varepsilon > 0$, and $0 \le \beta < \alpha$. Let $J$ be a random variable over $\{0, \dots, 2^\beta - 1\}$, and let $X_0$, $X_1$ and $K$ be random variables such that $H^\varepsilon_{\min}(X_0 X_1 \mid KJ) \ge \alpha$. Let $f(x_0, x_1, k) = 1$ if there exists a $j \in \{0, \dots, 2^\beta - 1\}$ such that $P_{X_1|KJ}(x_1, k, j) \ge 2^{-(\alpha-\beta)/2}$, and $0$ otherwise, and let $C := f(X_0, X_1, K)$. We have

$$H^\varepsilon_{\min}(X_{1-C} C \mid KJ) \ge \frac{\alpha - \beta}{2} .$$

⁶ As described in Section , $S_A$ can effectively skip the wait time required for the memory bound to take effect, since he can execute $A_A$ before his memory bound is applied.

Proof. Let $S_{jk}$ be the set of values $x_1$ for which $P_{X_1|KJ}(x_1, k, j) \ge 2^{-(\alpha-\beta)/2}$. We have $|S_{jk}| \le 2^{(\alpha-\beta)/2}$, since all values in $S_{jk}$ have a probability that is at least $2^{-(\alpha-\beta)/2}$. Let $S_k := \bigcup_j S_{jk}$. We have $|S_k| \le 2^\beta \cdot 2^{(\alpha-\beta)/2} = 2^{(\alpha+\beta)/2}$.

Let $K = k$ and $J = j$. Because $C = 0$ implies that $X_1 \notin S_{jk}$, and thus also that $X_1 \notin S_k$, we have $P_{X_1 C|KJ}(x_1, 0, k, j) \le 2^{-(\alpha-\beta)/2}$. It follows from the assumption that there exists an event $\mathcal{E}$ with probability $1 - \varepsilon$ such that for all $x_0$, $x_1$, $k$ and $j$, we have $P_{X_0 X_1 \mathcal{E}|KJ}(x_0, x_1, k, j) \le 2^{-\alpha}$. It follows that

$$P_{X_0 C \mathcal{E}|KJ}(x_0, 1, k, j) = \sum_{x_1 \in S_k} P_{X_0 X_1 \mathcal{E}|KJ}(x_0, x_1, k, j) \le 2^{(\alpha+\beta)/2} \cdot 2^{-\alpha} = 2^{-(\alpha-\beta)/2} .$$

The statement follows. □
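The following Python code is an added illustration of Lemma 4.3 and is not part of the paper. It builds a small constructed distribution $P_{X_0X_1KJ}$ (with $K$ constant and $J$ one bit, so $\beta = 1$), computes the splitting function $f$ exactly as defined above, and checks the resulting bound $H_{\min}(X_{1-C}C \mid KJ) \ge (\alpha-\beta)/2$. It assumes $\varepsilon = 0$ and the worst-case (pointwise) classical conditional min-entropy $-\log_2 \max_{x,y} P(x \mid y)$ that the proof's pointwise bounds use; both are assumptions of this example, not statements from the paper.

```python
from math import log2
from collections import defaultdict

# Constructed toy distribution P_{X0 X1 K J}, not from the paper. K is a constant
# register (k = 0) and J is one bit (beta = 1). Under J = 0 the pair is
# (X0 uniform on {0,1,2,3}, X1 = 0); under J = 1 it is (X0 = 0, X1 uniform).
# Every atom (x0, x1, k, j) therefore has probability 1/8.
def example_distribution():
    joint = {}
    for x in range(4):
        joint[(x, 0, 0, 0)] = 1 / 8   # j = 0: X1 is fixed, X0 carries the entropy
        joint[(0, x, 0, 1)] = 1 / 8   # j = 1: X0 is fixed, X1 carries the entropy
    return joint

def marginal(joint, idx):
    """Marginal over the coordinates listed in idx (tuple of positions)."""
    out = defaultdict(float)
    for atom, p in joint.items():
        out[tuple(atom[i] for i in idx)] += p
    return out

def hmin_conditional(joint, cond_idx):
    """Worst-case classical conditional min-entropy with epsilon = 0:
    -log2 max P(atom | cond), where cond are the coordinates in cond_idx."""
    p_cond = marginal(joint, cond_idx)
    worst = max(p / p_cond[tuple(atom[i] for i in cond_idx)]
                for atom, p in joint.items())
    return -log2(worst)

def split_function(joint, alpha, beta):
    """Return f(x0, x1, k) of Lemma 4.3: C = 1 iff some j satisfies
    P_{X1|KJ}(x1, k, j) >= 2^{-(alpha - beta)/2}, else C = 0."""
    threshold = 2 ** (-(alpha - beta) / 2)
    p_kj = marginal(joint, (2, 3))
    p_x1kj = marginal(joint, (1, 2, 3))
    j_values = {atom[3] for atom in joint}

    def f(x0, x1, k):
        for j in j_values:
            if (k, j) in p_kj and p_x1kj.get((x1, k, j), 0.0) / p_kj[(k, j)] >= threshold:
                return 1
        return 0
    return f

def verify_splitting(joint):
    """Compute alpha = H_min(X0 X1 | K J), apply the split, and return
    (alpha, beta, H_min(X_{1-C} C | K J), (alpha - beta)/2)."""
    j_values = {atom[3] for atom in joint}
    beta = log2(len(j_values))
    alpha = hmin_conditional(joint, (2, 3))
    f = split_function(joint, alpha, beta)
    # Distribution of (X_{1-C}, C, K, J): C picks which half keeps the entropy.
    split = defaultdict(float)
    for (x0, x1, k, j), p in joint.items():
        c = f(x0, x1, k)
        x_other = x0 if c == 1 else x1
        split[(x_other, c, k, j)] += p
    hmin_split = hmin_conditional(dict(split), (2, 3))
    return alpha, beta, hmin_split, (alpha - beta) / 2

if __name__ == "__main__":
    print(verify_splitting(example_distribution()))
```

On the constructed distribution, $\alpha = 2$ and $\beta = 1$; the value $x_1 = 0$ has conditional probability $1$ under $j = 0$, so $f$ assigns it $C = 1$ and routes the entropy to $X_0$, while all other $x_1$ get $C = 0$. The split variable still has $2$ bits of min-entropy, comfortably above the guaranteed $(\alpha-\beta)/2 = 0.5$; the lemma's bound is not tight here, which is exactly what a practitioner should expect from a worst-case statement.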

We now describe the actions of the adversary. Let $Q$ denote his quantum storage register, and let $A$ denote an auxiliary quantum register as above. Again, the size of $Q$ does not exceed $m$. Let $K$ denote his classical input register, and let $M$ denote the register holding the quantum message he receives from the sender in step 2. Let $L$ denote the message register holding the classical messages he receives in step 3. Again, we assume that $Q$ is initialized to his quantum input state $\rho_{in}$. Likewise, $K$ is initialized to his classical input $k_{in}$. All other registers are initialized to $|0\rangle$. We can now describe the actions of the adversary by two unitaries, where a memory bound is applied after the first. The action of the adversary following step 2 can be described as a unitary $A_B^{(1)}$ similar to Eq. (1). Note we can again assume that $A_B^{(1)}$ leaves $K$ unmodified. To enforce the memory bound, we now let registers $M$ and $A$ be measured in the computational basis. We use $\rho_{out} \in Q$ to denote the adversary's quantum output, and $k_{out} \in M \otimes A$ to denote his classical output. After the memory bound is applied, the receiver obtains additional information from the sender. The actions of the adversary after step 3 can then be described by a unitary $A_B^{(2)}$ followed by a measurement of quantum registers $M$ and $A$ in the computational basis.

In order to make the proof easier to understand, we build it up in 3 steps: First, we analyze the easy case where there is no quantum auxiliary input, which is essentially equivalent to the original security proof. Then we extend it by allowing the adversary some quantum auxiliary input of size $\beta$, pure and mixed. We start with $\beta = 0$, but keep $\beta$ as a parameter, so that we can later generalize the statement.

Lemma 4.4. Protocol BQS-OT is secure against dishonest $B$ with an error of at most $5\varepsilon$, if he receives no quantum (auxiliary) input, and his quantum memory is bounded before step 1 and between step 2 and 3 by $m$ qubits, for

$$8\ell + 2\beta + 4m \le n - 20\sqrt[3]{n^2 \log\tfrac{1}{\varepsilon}} - 12\log\tfrac{1}{\varepsilon} - 4 ,$$

where $\beta$ is a parameter.
Proof. Let $k_{in}$ be the classical auxiliary input the adversary receives, and let $|\psi_{in}\rangle = |j\rangle$ be the auxiliary quantum input for some fixed $j$ known to the simulator. First of all, the simulator simulates the actions of the sender following steps 1 and 2, using a random string $X$ and a random basis $B$. The simulator then applies $A_B^{(1)}$, which gives him some classical output $K_{out}$ and a quantum state $\rho_{out}$. It follows from the uncertainty relation of Lemma 2.3 that

$$H^\varepsilon_{\min}(X \mid B K_{out} K_{in}) \ge \alpha ,$$

for $\alpha := n/2 - 10\sqrt[3]{n^2 \log(1/\varepsilon)}$. Let $(X_0, X_1) := X$, where $X_0$ and $X_1$ are the substrings of $X$ defined in the same way as in the protocol. Note that since the simulator holds a description of $|\psi_{in}\rangle$, he knows $P_{X_0 X_1 B K_{out} K_{in}}$, and thus we can apply Lemma 4.3 for $K = (B, K_{out}, K_{in})$ and a constant $J$ (or, $\beta = 0$). Since the simulator knows the values $X_0$, $X_1$ and $K$, he can calculate the value $C := f(X_0, X_1, K)$, for which we have

$$H^\varepsilon_{\min}(X_{1-C} C \mid K) \ge \frac{\alpha - \beta}{2} .$$

The simulator now chooses $R_0$ and $R_1$ uniformly at random and calculates $S_0 = h(R_0, X_0)$ and $S_1 = h(R_1, X_1)$. Since $R_0$ and $R_1$ are independent of $X_0$, $X_1$ and $C$, we have

$$H^\varepsilon_{\min}(X_{1-C} C \mid K) = H^\varepsilon_{\min}(X_{1-C} C \mid R_C K) .$$

Using the chain rule from Lemma 2.1 and the monotonicity of $H^\varepsilon_{\min}$, we obtain

$$\begin{aligned}
H^\varepsilon_{\min}(X_{1-C} \mid C R_C K S_C) &\ge H^\varepsilon_{\min}(X_{1-C} S_C C \mid R_C K) - (\ell + 1) - \log\tfrac{1}{\varepsilon} \\
&\ge H^\varepsilon_{\min}(X_{1-C} C \mid R_C K) - (\ell + 1) - \log\tfrac{1}{\varepsilon} \\
&\ge \tfrac{\alpha}{2} - \tfrac{\beta}{2} - \ell - 1 - \log\tfrac{1}{\varepsilon} .
\end{aligned}$$

By using the privacy amplification Theorem 2.2 we get that $S_{1-C}$ is $5\varepsilon$-close to uniform with respect to $(R_0, R_1, C, S_C, B, K_{out}, K_{in})$ and $\rho_{out}$ if

$$\ell \le \frac{\alpha}{2} - \frac{\beta}{2} - \ell - 1 - \log\frac{1}{\varepsilon} - m - 2\log\frac{1}{\varepsilon} .$$

By replacing $\alpha$ and rearranging the terms we get the claimed equation.

The simulator now sets $Y := S_C$, and sends $(C, Y)$ to $ROT_B$. To complete the simulation, he runs $A_B^{(2)}$ as the adversary would have. Note that the simulator did not require any more memory than the adversary itself, i.e., we can take $S_B$ to be $m$-bounded as well. Clearly, the simulator determined $C$ solely from the classical output of the adversary, and thus the adversary's output state in the simulated run is equal to the original output state of the adversary $\rho_{out} \otimes k_{out}$. Since the only difference between the simulation and the real execution is that in the simulation $S_{1-C}$ is chosen completely at random, the simulation is $5\varepsilon$-close to the output of the real protocol. □

We now show how to extend the above analysis to the case where the adversary's input is pure. 
Note that if the adversary's input is pure, the adversary cannot be entangled with the environment. 
Lemma 4.5. Protocol BQS-OT is secure against dishonest $B$ with an error of at most $5\varepsilon$, if he receives a pure state quantum (auxiliary) input, and his quantum memory is bounded before step 1 by $\beta$ qubits, and between step 2 and 3 by $m$ qubits, for

$$8\ell + 2\beta + 4m \le n - 20\sqrt[3]{n^2 \log\tfrac{1}{\varepsilon}} - 12\log\tfrac{1}{\varepsilon} - 4 .$$

Proof. Let $|j\rangle$ for $j \in \{0, \dots, 2^\beta - 1\}$ be a basis for the quantum auxiliary input. Any fixed auxiliary input $|j\rangle$ and $k_{in}$ fixes a distribution $P_{X_0 X_1 K | J=j}$, where $K$ is the classical value the adversary has after the second memory bound. Using the same argumentation as in Lemma 4.4, but now using the generalized min-entropy splitting lemma with $\beta > 0$, we can construct a simulator that does not need to know $j$, nor the distribution $P_J$.

Hence, the simulator can construct a linear transformation acting on registers $Q$, $M$, $A$, $K$, $X$, $B$, $R$, and $C$ combining the actions of $A_B^{(1)}$ and the extraction of $c$ using the function $f$ as defined above. We have

$$S\Bigl(\sum_j \alpha_j |j\rangle^{Q} \otimes |0\rangle^{M} \otimes |0\rangle^{A} \otimes |k_{in}\rangle^{K} \otimes |x\rangle^{X} \otimes |b\rangle^{B} \otimes |r_0, r_1\rangle^{R} \otimes |0\rangle^{C} \otimes |0\rangle^{Y}\Bigr) = \sum_{q, m_1, a_1} \alpha_{q, m_1, a_1} |q\rangle^{Q} \otimes |m_1\rangle^{M} \otimes |a_1\rangle^{A} \otimes |k_{in}\rangle^{K} \otimes |x\rangle^{X} \otimes |b\rangle^{B} \otimes |r_0, r_1\rangle^{R} \otimes |c\rangle^{C} \otimes |s_0, s_1\rangle^{Y}$$

for any pure state input $|\psi_{in}\rangle = \sum_j \alpha_j |j\rangle$. Wlog, all registers except $Q$ are now measured in the computational basis as the memory bound takes effect. The input state $|\psi_{in}\rangle$ will define the distribution of $J$ for the generalized min-entropy splitting lemma. The rest follows as above. □

It remains to address the case where the receiver gets a mixed state quantum input. This is the case where the adversary receives a state that is entangled with the environment. Note that this means that we must decrease the size of the adversary's memory: If he could receive an entangled state of $\beta$ qubits as input, he could use it to increase his memory to $m + \beta$ qubits by teleporting $\beta$ qubits to the environment, and storing the remaining $m$. Hence, we now have to take the adversary to be $m'$-bounded, where $m' := m - \beta$. Luckily, using a similar argument as in [43], we can now extend the argument given above: Note that for any pure state input $|\Psi\rangle = |\psi_{in}\rangle \otimes |k_{in}\rangle$, the output of the simulated adversary is exactly $\Lambda(|\Psi\rangle\langle\Psi|)$, where $\Lambda$ is the adversary's channel. Since $\{|\Psi\rangle\langle\Psi| : |\Psi\rangle \in Q \otimes K, \||\Psi\rangle\| = 1\}$ spans all of $T(Q \otimes K)$ and the map given by the simulation procedure is the same as $\Lambda$ on all these inputs, we can conclude that the complete map is equal to $\Lambda$. Note that the simulator does not need to consider the $\beta$ qubits that the adversary might have teleported to the environment: we can essentially view them as part of the original adversary's quantum memory, and the simulator bases his decision solely on the classical output of the adversary. Hence:

Lemma 4.6. Protocol BQS-OT is secure against dishonest $B$ with an error of at most $5\varepsilon$, if he receives a quantum (auxiliary) input, and his quantum memory is bounded before step 1 by $\beta$ qubits and between step 2 and 3 by $m$ qubits, for

$$8\ell + 6\beta + 4m \le n - 20\sqrt[3]{n^2 \log\tfrac{1}{\varepsilon}} - 12\log\tfrac{1}{\varepsilon} - 4 .$$

The following theorem now follows directly from Lemma 4.2 and Lemma 4.6.

Theorem 4.7. Protocol BQS-OT(Q-Comm‖Comm) implements $\binom{2}{1}$-ROT$^\ell$ with an error of at most $5\varepsilon$, secure against $m$-bounded adversaries using $m$-bounded simulators, if

$$8\ell + 10m \le n - 20\sqrt[3]{n^2 \log\tfrac{1}{\varepsilon}} - 12\log\tfrac{1}{\varepsilon} - 4 .$$

Note that there are ways to improve on these parameters. For example, the splitting lemma defines the function $f$ in an asymmetric way, which implies that for $C = 1$ the bound in fact also holds for the conditional min-entropy of $X_0$ given $X_1$. Thus, we would not need to additionally apply the chain rule in this case. We did not do this here to keep the proof simple.

4.1 On Parallel Composition 

For efficiency, it would be important to know if the protocol from the last section would also be secure under parallel composition. Unfortunately, this is not an easy task: First, consider executing the protocol in parallel, when the sender and receiver are the same for each instance of the protocol. Clearly, the overall memory of the committer cannot exceed the amount of memory he would be allowed for a single execution of the protocol: otherwise he could cheat in at least one instance of the protocol. However, even when imposing such a constraint, parallel composition remains tricky: Second, consider the case where we run two instances of the protocol in parallel, where the roles of the sender (initially Alice) and the receiver (initially Bob) are exchanged in the second instance of the protocol. Let the malicious Bob behave as follows: Upon reception of the quantum states in the first instance of the protocol, he immediately returns them unmeasured to Alice. Later, he sends the very same values $(b, r_0, r_1)$ back to Alice. Alice thus measures her own states, in her own bases. Thus, her output $y$ of the second instance of the protocol will always be equal either to $x_0$ or to $x_1$ of the first instance of the protocol. This is clearly something Bob would not be able to do in an ideal setting. This simple example already shows that great care must be taken when composing such protocols in parallel: no quantum memory was required to execute such an attack.
A Proof of Lemma 2.3

To prove Lemma 2.3 we need Lemma A.2 below and the following Theorem A.1, which is Corollary 3.4 in the full version of [16].

Theorem A.1 (Uncertainty Relation [16]). Let $\rho \in \mathcal{S}(\mathcal{H}^{\otimes n})$ be an arbitrary quantum state. Let $\Theta = (\Theta_1, \dots, \Theta_n)$ be uniformly distributed over $\{+, \times\}^n$ and let $X = (X_1, \dots, X_n)$ be the outcome when measuring $\rho$ in basis $\Theta$. Then for any $0 < \lambda < \frac{1}{2}$

$$H^\varepsilon_{\min}(X \mid \Theta) \ge \bigl(\tfrac{1}{2} - 2\lambda\bigr) n ,$$

where $\varepsilon = \exp\bigl(-\frac{\lambda^2 n}{32(2 - \log(\lambda))^2}\bigr)$.
Lemma A.2. For all $0 < x < 0.5$, we have

$$\frac{1}{(2 - \log(x))^2} \ge \frac{e^3 \ln(2)^2}{54} \cdot x .$$

Proof. Since $(2 - \log(x))^{-2} \to 0$ for $x \to 0$, it suffices to show that, for all $0 < x < 0.5$,

$$\frac{d}{dx}\,\frac{1}{(2 - \log(x))^2} = \frac{2}{\ln(2)\,(2 - \log(x))^3\, x} \ge \frac{e^3 \ln(2)^2}{54} ,$$

which is equivalent to requiring that

$$f(x) := \frac{\ln(2)}{2}\,(2 - \log(x))^3\, x \le \frac{54}{e^3 \ln(2)^2} .$$

We have

$$f'(x) = \frac{1}{2}\Bigl(-3(2 - \log(x))^2 + (2 - \log(x))^3 \ln(2)\Bigr) ,$$

and since the polynomial $-3x^2 + x^3 \ln(2)$ has a double root at $0$ and a single root at $3/\ln(2)$, and is positive if and only if $x > 3/\ln(2)$, it follows that $f'(x)$ has one double root at $4$, and one single root at $4/e^3$. It is positive for $0 < x < 4/e^3$ and negative for $4/e^3 < x < 0.5$. Hence, $f(x)$ is maximal for $x = 4/e^3$, where $f(4/e^3) = 54/(e^3 \ln(2)^2)$. □

Proof of Lemma 2.3. Following the standard approach (see also [E]), we consider a purified version of our situation: Alice creates $n$ EPR pairs, and sends the second half of each pair to Bob. His measurement is then applied onto the second half of these pairs, which has output $K$. Then, we choose a uniformly random basis $\Theta \in \{+, \times\}^n$, and measure the first half in this basis, which gives us the string $X$. The output of the purified situation is identical to the situation in the statement; however, it allows us to apply Theorem A.1.

From $10\sqrt[3]{n^2 \log(1/\varepsilon)} = \frac{n}{2}\sqrt[3]{8000 \log(1/\varepsilon)/n}$ follows that $n/2 > 10\sqrt[3]{n^2 \log(1/\varepsilon)}$ if and only if $n > 8000 \log(1/\varepsilon)$. Thus, nothing has to be shown if $n \le 8000 \log(1/\varepsilon)$. If $n > 8000 \log(1/\varepsilon)$, we choose $\lambda := 5\sqrt[3]{\frac{1}{n} \cdot \log(1/\varepsilon)}$ and $\lambda' := \frac{1}{n} \cdot \log(1/\varepsilon)$, and get

$$\lambda = 5\sqrt[3]{\frac{1}{n} \cdot \log(1/\varepsilon)} < 5\sqrt[3]{\frac{1}{20^3 \cdot \log(1/\varepsilon)} \cdot \log(1/\varepsilon)} = 5\sqrt[3]{\frac{1}{20^3}} = \frac{5}{20} = \frac{1}{4} .$$

The statement follows from

$$\exp\Bigl(-\frac{\lambda^2 n}{32\,(2 - \log(\lambda))^2}\Bigr) \le \exp\Bigl(-\frac{125\,\lambda' n}{180}\Bigr) = 2^{-\frac{125\,\lambda' n}{180 \ln(2)}} \le 2^{-\lambda' n} = 2^{-\log(1/\varepsilon)} = \varepsilon ,$$

where the first inequality uses Lemma A.2 with $x = \lambda < 1/4$ together with $\lambda^3 n = 125\,\lambda' n$ and $e^3 \ln(2)^2 / 1728 > 1/180$, and the second uses $125/(180 \ln(2)) > 1$. □



B Oblivious Transfer from ROT 

Oblivious transfer is defined as follows: 

Definition B.1 (Oblivious transfer). The functionality $\binom{2}{1}$-OT$^\ell$ receives input $(x_0, x_1) \in \{0,1\}^\ell \times \{0,1\}^\ell$ from $A$ and $c \in \{0,1\}$ from $B$, and sends $y := x_c$ to $B$.
The protocol OTfromROT, proposed in [5], securely implements OT using ROT and Comm.

Protocol 3: OTfromROT_A

1: Receive input $(x_0, x_1) \in \{0,1\}^\ell \times \{0,1\}^\ell$ from $A$ and $(x'_0, x'_1) \in \{0,1\}^\ell \times \{0,1\}^\ell$ from ROT.
2: Receive $d \in \{0,1\}$ from Comm.
3: Send $(m_0, m_1) \in \{0,1\}^\ell \times \{0,1\}^\ell$ to Comm, where $m_i := x_i \oplus x'_{i \oplus d}$.

Protocol 4: OTfromROT_B

1: Receive input $c \in \{0,1\}$ from $B$ and $(c', y') \in \{0,1\} \times \{0,1\}^\ell$ from ROT.
2: Send $d := c' \oplus c$ to Comm.
3: Receive $(m_0, m_1) \in \{0,1\}^\ell \times \{0,1\}^\ell$ from Comm and output $y := m_c \oplus y'$ to $B$.
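The following Python code is an added, runnable model of Protocols 3 and 4; it is not code from the paper or from [5]. The ideal $\binom{2}{1}$-ROT$^\ell$ functionality is replaced by a function drawing the random $(x'_0, x'_1)$ and $(c', y')$ from a seeded generator, and $\ell$-bit strings are represented as Python integers; `ELL`, the seeds and the helper names are assumptions of this example. Beyond a single run, it checks correctness over many random inputs and records how the message $m_{1-c}$ (the one for the unchosen string) varies from run to run, which is the one-time-pad argument behind the simulator for a dishonest receiver in the proof of Theorem B.2.

```python
import random

ELL = 8                        # string length ell; constructed for this example
MASK = (1 << ELL) - 1          # keeps every string within ell bits

def ideal_rot(rng):
    """Ideal (2,1)-ROT^ell: A receives random (x0', x1'); B receives a random
    choice bit c' together with y' = x'_{c'}.  (Constructed stand-in for ROT.)"""
    x0p, x1p = rng.getrandbits(ELL), rng.getrandbits(ELL)
    cp = rng.getrandbits(1)
    return (x0p, x1p), (cp, x1p if cp else x0p)

def receiver_choice_message(c, cp):
    """Protocol 4, step 2: d := c' XOR c."""
    return cp ^ c

def sender_message(x, xprime, d):
    """Protocol 3, step 3: m_i := x_i XOR x'_{i XOR d} for i in {0, 1}."""
    return tuple(x[i] ^ xprime[i ^ d] for i in (0, 1))

def receiver_output(m, c, yp):
    """Protocol 4, step 3: y := m_c XOR y'."""
    return m[c] ^ yp

def run_ot_from_rot(x0, x1, c, rng):
    """One execution with honest parties.  Returns (y, d, (m0, m1))."""
    a_rot, (cp, yp) = ideal_rot(rng)
    d = receiver_choice_message(c, cp)
    m = sender_message((x0 & MASK, x1 & MASK), a_rot, d)
    return receiver_output(m, c, yp), d, m

def check_correctness(trials=200, seed=1):
    """True iff y == x_c in every trial over random inputs (x0, x1, c)."""
    rng = random.Random(seed)
    for _ in range(trials):
        x0, x1, c = rng.getrandbits(ELL), rng.getrandbits(ELL), rng.getrandbits(1)
        y, _, _ = run_ot_from_rot(x0, x1, c, rng)
        if y != (x1 if c else x0):
            return False
    return True

def unchosen_is_masked(x0, x1, c, trials=200, seed=2):
    """The receiver sees m_{1-c} = x_{1-c} XOR x'_{1-c'}, and x'_{1-c'} is a
    uniform string he never learns.  For fixed inputs, count the distinct
    m_{1-c} values over many runs: a single value would mean x_{1-c} leaks."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        _, _, m = run_ot_from_rot(x0, x1, c, rng)
        seen.add(m[1 - c])
    return len(seen)

if __name__ == "__main__":
    print("correct:", check_correctness())
    print("distinct m_{1-c} values:", unchosen_is_masked(0x3c, 0xa5, 0))
```

The correctness check is the identity $m_c \oplus y' = x_c \oplus x'_{c \oplus d} \oplus x'_{c'} = x_c$, since $c \oplus d = c'$. The masking count is only a sanity check of the argument, not a proof: the proof's simulator works because $x'_{1-c'}$ is uniform and independent of everything the receiver holds.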



Theorem B.2. For every $m \ge 0$, OTfromROT($\binom{2}{1}$-ROT$^\ell$‖Comm) implements $\binom{2}{1}$-OT$^\ell$ with no error, secure against $m$-bounded adversaries using $m$-bounded simulators.

Proof. It is easy to verify that the protocol is correct, if $\mathcal{A} = \emptyset$.

Let $\mathcal{A} = \{A\}$ and $A_A$ be a quantum adversary. $A_A$ receives some auxiliary input,⁷ and outputs $(x'_0, x'_1)$, which are the inputs to $ROT_A$. Then it receives $d$, and finally outputs $(m_0, m_1)$ and some auxiliary output. The simulator $S_A$ works as follows. It receives some auxiliary input, and then executes $A_A$, using the auxiliary input. It stores the values $(x'_0, x'_1)$ returned by $A_A$, and sends it a value $d$ chosen uniformly at random. $A_A$ then outputs $(m_0, m_1)$ and some auxiliary output. The simulator outputs the auxiliary output and sends the values $x_i := m_i \oplus x'_{i \oplus d}$ for $i \in \{0,1\}$ to OT. It is easy to verify that the real and the simulated situations give exactly the same output distribution.

Let $\mathcal{A} = \{B\}$ and $A_B$ be a quantum adversary. $A_B$ receives some auxiliary input and outputs $(c', y')$, which are the inputs to $ROT_B$, and a value $d$. Then it receives the values $(m_0, m_1)$, and outputs some auxiliary output. The simulator works as follows. It receives some auxiliary input, and then executes $A_B$ on the auxiliary input, which outputs $(c', y')$ and a value $d$. The simulator now sends $c := c' \oplus d$ to OT, and receives a value $y$ back. Then, it sets $m_{c' \oplus d} := y \oplus y'$, chooses the other value $m_{c' \oplus d \oplus 1}$ uniformly at random, and sends $(m_0, m_1)$ to $A_B$. Finally, it outputs the auxiliary output that $A_B$ returns. It is easy to verify that the real and the simulated situations give exactly the same output distribution. □

C Bit-Commitment from ROT 

In [17], a bit-commitment protocol is presented and proved secure for a weak binding condition. In [16], it is shown that the same protocol is in fact also secure under a stronger binding condition. However, as for ROT, their proof does not take auxiliary inputs into account. In a similar way as ROT, their protocol could be proven secure in our framework. But because protocols can be composed in our framework, we can now give a much simpler proof: We can implement bit-commitment based directly on ROT. The composition theorem then implies that if ROT is replaced by an instance of BQS-OT, the bit-commitment protocol remains secure. The BC functionality is defined as follows.

⁷ Now, auxiliary inputs and outputs are always both classical and quantum.

Definition C.1. The functionality BC has two phases, which are defined as follows:

• Commit: BC receives $b \in \{0,1\}$ from $A$ and sends $\bot$ to $B$.

• Open: BC receives $a \in \{0,1\}$ from $A$. If $a = 1$, it sends $b$ to $B$. Otherwise, it sends $\bot$.

Let $\binom{2}{1}$-TOR$^\ell$ be a reversed version of $\binom{2}{1}$-ROT$^\ell$, i.e., $B$ is the sender and $A$ is the receiver. The protocol OTtoBC = (OTtoBC$_A$, OTtoBC$_B$) uses $\binom{2}{1}$-TOR$^\ell$ and a noiseless unidirectional classical Comm from $A$ to $B$ to implement BC. We now first describe the actions of the committer.



Protocol 5: OTtoBC_A

Commit:

1. Receive input $b$ from $A$ and $(c, y) \in \{0,1\} \times \{0,1\}^\ell$ from TOR.

2. Send $m := b \oplus c$ to Comm.

Open:

1. Receive input $a$ from $A$. If $a = 1$, then send $(b, y)$ to Comm, and $(\bot, \bot)$ otherwise.

The actions of the verifier are specified by:

Protocol 6: OTtoBC_B

Commit:

1. Receive $(x_0, x_1)$ from TOR.

2. Receive $m$ from Comm and output $\bot$.

Open:

1. Receive $(b, y)$ from Comm.

2. If $(b, y) \ne (\bot, \bot)$ and $x_{b \oplus m} = y$, then output $b$, and $\bot$ otherwise.
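The following Python code is an added, runnable model of Protocols 5 and 6; it is not code from the paper. The ideal $\binom{2}{1}$-TOR$^\ell$ functionality is a seeded random function, $\bot$ is represented by `None`, and $\ell$-bit strings are integers; `ELL`, the seeds and the helper names are assumptions of this example. Besides honest commit and open, it measures the point the proof of Theorem C.2 relies on for binding: a committer who later wants to open the other bit must present $x_{1-c}$, a uniform $\ell$-bit string he never received, so his empirical success rate sits near $2^{-\ell}$.

```python
import random

ELL = 8                        # string length ell; constructed for this example
BOT = None                     # stands for the symbol ⊥

def ideal_tor(rng):
    """Reversed ROT: the verifier B receives random (x0, x1), the committer A
    receives a random c and y = x_c.  (Constructed stand-in for TOR.)"""
    x0, x1 = rng.getrandbits(ELL), rng.getrandbits(ELL)
    c = rng.getrandbits(1)
    return (x0, x1), (c, x1 if c else x0)

def commit(b, c):
    """Protocol 5, Commit step 2: m := b XOR c (c is uniform, so m hides b)."""
    return b ^ c

def open_message(a, b, y):
    """Protocol 5, Open step 1: reveal (b, y) if a == 1, else (⊥, ⊥)."""
    return (b, y) if a == 1 else (BOT, BOT)

def verify(opening, m, x):
    """Protocol 6, Open step 2: output b iff (b, y) != (⊥, ⊥) and x_{b XOR m} == y."""
    if opening == (BOT, BOT):
        return BOT
    b, y = opening
    return b if x[b ^ m] == y else BOT

def run_commitment(b, a, seed=0):
    """Honest commit to b followed by open (a = 1) or refusal (a = 0)."""
    rng = random.Random(seed)
    x, (c, y) = ideal_tor(rng)
    m = commit(b, c)
    return verify(open_message(a, b, y), m, x)

def cheating_open_success_rate(trials=4000, seed=3):
    """Binding check from the proof of Theorem C.2: after committing to b, opening
    1 - b requires x_{(1-b) XOR m} = x_{1-c}, which the committer never saw.  The
    best he can do is guess it; the rate returned should be about 2**-ELL."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        x, (c, y) = ideal_tor(rng)
        b = rng.getrandbits(1)
        m = commit(b, c)
        guess = rng.getrandbits(ELL)               # guess for the unseen x_{1-c}
        if verify((1 - b, guess), m, x) == 1 - b:
            wins += 1
    return wins / trials

if __name__ == "__main__":
    print("open b=1:", run_commitment(1, 1), " refuse:", run_commitment(1, 0))
    print("cheating success rate:", cheating_open_success_rate(), "vs", 2 ** -ELL)
```

Correctness follows from $b \oplus m = c$, so the verifier compares $x_c$ against the $y = x_c$ the committer holds. Hiding is the one-time pad $m = b \oplus c$ with $c$ uniform and unknown to the verifier. The measured cheating rate is an empirical estimate of the $2^{-\ell}$ error term in Theorem C.2, not a proof of it.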

Theorem C.2. For every $m \ge 0$, OTtoBC($\binom{2}{1}$-TOR$^\ell$‖Comm) implements BC with an error of at most $2^{-\ell}$, secure against $m$-bounded adversaries using $m$-bounded simulators.

Proof. It is easy to verify that the protocol is correct, if $\mathcal{A} = \emptyset$.

Let $\mathcal{A} = \{A\}$ and $A_A$ be a quantum adversary. In the commit phase, it receives some auxiliary input, sends $(c, y)$ to TOR and $m$ to Comm, and outputs some auxiliary output. In the open phase, it receives some auxiliary input, sends $(b, y')$ to Comm, and outputs some auxiliary output. Note that in the real execution, if $(b, y') = (c \oplus m, y)$, the protocol outputs $b$ to $B$ in the open phase. On the other hand, if $b \ne c \oplus m$, the protocol will only output $b$ to $B$ if $y' = x_{1-c}$. Since $x_{1-c}$ is chosen uniformly at random, this will only happen with a probability of $2^{-\ell}$. The simulator $S_A$ does the following: In the commit phase, it receives the auxiliary input, and sends it to $A_A$ to run the commit phase, from which it receives $(c, y)$, $m$, and some auxiliary output. It outputs the auxiliary output, sends $c \oplus m$ to BC, and saves $c \oplus m$ in his classical memory. In the open phase, it receives some auxiliary input and sends it to $A_A$ to run the open phase. It receives $(b, y')$ from $A_A$, and sends $a = 1$ to BC if $b = c \oplus m$, and $a = 0$ otherwise. Finally, it outputs the auxiliary output of $A_A$. It is easy to verify that the simulation is equal to the real execution, except with probability at most $2^{-\ell}$.

Let $\mathcal{A} = \{B\}$ and $A_B$ be a quantum adversary. In the commit phase, it receives some auxiliary input, sends $(x_0, x_1)$ to TOR, receives $m$, and outputs some auxiliary output. In the open phase, it receives some auxiliary input and $(b, y)$ from Comm, and outputs some auxiliary output. The simulator $S_B$ does the following: In the commit phase, it receives some auxiliary input, and sends it to $A_B$, from which it receives $(x_0, x_1)$. Then, it sends a value $m$ chosen uniformly at random to $A_B$, and gets some auxiliary output back. It outputs the auxiliary output, and stores $(x_0, x_1)$ and $m$ in the classical memory. In the open phase, it receives some auxiliary input, and a value $b'$ from BC. If $b' = \bot$, it sets $y := \bot$, and $y := x_{b' \oplus m}$ otherwise. It sends the auxiliary input and $(b', y)$ to $A_B$, and outputs the auxiliary output returned by $A_B$. It is easy to see that the simulation always produces exactly the same output as the real execution. □

Let BQS-TO be the same protocol as BQS-OT, but in the opposite direction. Using Theorem 4.7 and Theorem C.2 as well as Theorem 3.2, and by choosing $\ell := \log(1/\varepsilon)$, we get

Theorem C.3. The protocol OTtoBC(BQS-TO(Q-Comm‖Comm)‖Comm) implements BC with an error of at most $6\varepsilon$, secure against $m$-bounded adversaries using $m$-bounded simulators, if